Dartmouth College has officially confirmed a major data breach after the notorious Clop extortion gang leaked sensitive files allegedly stolen from the institution’s Oracle E-Business Suite (EBS) servers. The incident highlights a rapidly escalating cybersecurity crisis impacting several high-profile organizations that rely on Oracle’s enterprise platforms.
According to the college’s notification letter filed with Maine’s Attorney General, attackers exploited a zero-day vulnerability in Oracle EBS, allowing them to extract personal data belonging to at least 1,494 individuals. While this figure reflects only those notified through Maine’s system, the actual number of affected people may be significantly higher. Dartmouth, headquartered in Hanover, New Hampshire, has not yet filed a broader notification with its home state.
Early findings from the institution’s internal investigation indicate that hackers accessed Dartmouth’s systems between August 9 and August 12, 2025, quietly exfiltrating documents containing names, Social Security numbers, and in some cases, financial account information. Notification letters issued on October 30 confirmed that the compromised files included personally identifiable data requiring immediate monitoring and protective measures.
While Dartmouth did not comment publicly on the ransom demanded by Clop, the gang quickly added the institution to its dark web leak site, making stolen files available for download. Security analysts warn that such exposure significantly increases risks of identity theft, account takeover, and financial fraud for those affected.
The Dartmouth intrusion is part of a broader, coordinated attack wave driven by Clop, which has been actively exploiting the Oracle EBS zero-day vulnerability tracked as CVE-2025-61882. Google Threat Intelligence Group analyst John Hultquist told BleepingComputer that dozens of organizations have likely been compromised through the same exploit.
Clop’s victim list from this campaign is already extensive, with confirmed breaches at Harvard University, The Washington Post, Logitech, GlobalLogic, and Envoy Air, an American Airlines subsidiary. The gang’s leak site now hosts numerous archives of stolen data, shared publicly via torrent.
This incident adds to Clop’s long track record of high-impact supply chain attacks. The group previously leveraged vulnerabilities in MOVEit Transfer, affecting more than 2,770 organizations, as well as flaws in Accellion FTA, GoAnywhere MFT, and Cleo platforms. In response to the threat posed by Clop, the U.S. Department of State has issued a $10 million reward for actionable intelligence connecting the group to a foreign government.
In parallel to the Oracle-related breaches, Ivy League institutions have recently been hit by voice phishing attacks, with Harvard University, Princeton University, and the University of Pennsylvania confirming unauthorized access to systems used for alumni and donor engagement. The combined surge of technical exploits and social engineering underscores a growing trend targeting educational institutions with valuable personal and financial data.
Conclusion: The Dartmouth College breach reinforces a stark reality facing higher education institutions: sophisticated cybercriminal groups are exploiting both technical vulnerabilities and human weaknesses to infiltrate critical systems. As Clop’s campaign expands, universities must accelerate investments in proactive cybersecurity measures, vulnerability monitoring, and community awareness training to safeguard sensitive information. Dartmouth’s disclosure is likely only one chapter in a much larger story affecting organizations worldwide.





